Texas HB 300 / TMRPA vs HIPAA
Federal HIPAA gets all the attention, but Texas medical practices, healthcare organizations, and many businesses that handle health information are also subject to the Texas Medical Records Privacy Act (TMRPA), substantially amended by House Bill 300 in 2012. TMRPA goes beyond HIPAA in important ways: a much broader definition of "covered entity" that pulls in many non-HIPAA businesses, mandatory employee training within 60 days of hire and biennially, faster patient access to electronic medical records (15 business days vs HIPAA's 30), stricter restrictions on the sale of PHI, and Texas Attorney General enforcement authority with a multi-million-dollar settlement track record. This guide covers the key TMRPA requirements that go beyond HIPAA, who is covered (often surprising businesses), the training and breach notification obligations, and how to build a single unified information security program that satisfies both frameworks.
What We Offer
Comprehensive solutions tailored for Houston-area businesses
TMRPA Has a Broader Definition of "Covered Entity"
HIPAA's covered entity definition is narrow — health plans, health care clearinghouses, and most health care providers. TMRPA's "covered entity" definition is dramatically broader: any person or entity that "engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." This sweeps in many businesses that are not HIPAA covered entities — researchers, billing services, certain technology vendors, marketing firms working with health information, and others.
Mandatory Training Within 60 Days of Hire
TMRPA requires every covered entity to provide training to employees who handle PHI within 60 days of hire and at least every two years thereafter. Training must cover federal and Texas privacy law. Documentation of training is required. HIPAA also requires training but is less prescriptive about timing and frequency.
Stricter Notification Timeline for State Law Violations
TMRPA has its own notification scheme that interacts with HIPAA's HHS OCR notification and the Texas Identity Theft Enforcement and Protection Act. TMRPA-specific violations can be reported to the Texas Attorney General. Texas AG enforcement against TMRPA violations has been active since 2012.
Civil Penalties Per Violation
TMRPA authorizes the Texas Attorney General to seek civil penalties up to $5,000 per negligent violation, $25,000 per knowing or intentional violation, and $250,000 for violations involving identity theft for financial gain. Penalties are per violation, can be assessed cumulatively, and have been imposed in Texas AG enforcement actions.
Patient Right to Electronic Medical Records (15 Days)
TMRPA requires covered entities to provide electronic medical records to patients on request within 15 business days. HIPAA's analogous right has a 30-day default. Texas patients can request faster electronic record access than federal law guarantees.
Sale-of-PHI Restrictions
TMRPA restricts the sale of PHI without explicit patient authorization more strictly than HIPAA. Covered entities cannot sell PHI for marketing or commercial purposes without specific written patient consent. The HIPAA exceptions for treatment, payment, and operations do not eliminate TMRPA's stricter consent requirements.
Why Choose LayerLogix?
Serving businesses throughout the Greater Houston area including Houston, The Woodlands, Sugar Land, Spring, Conroe, Pearland, Katy, Galveston, Clear Lake, Dallas, Austin.
Texas-Specific Compliance Without Duplicate Programs
Texas medical practices and health-information-handling businesses can structure a single information security program that satisfies both HIPAA and TMRPA simultaneously — but only if the program is built with TMRPA's stricter requirements baked in (training cadence, AG notification awareness, sale-of-PHI restrictions, electronic access timeline). Bolting TMRPA onto an existing HIPAA program after the fact is inefficient and creates compliance gaps.
Avoid Texas AG Enforcement
Texas Attorney General TMRPA enforcement actions have included multi-million-dollar settlements against Texas healthcare entities. Documented compliance — particularly around training, breach response, and sale-of-PHI restrictions — is the defense.
Coverage for Non-HIPAA Texas Businesses
Many Texas businesses think they have no medical privacy obligations because they are not HIPAA covered entities — but TMRPA's broader definition often pulls them in. Marketing firms working with health data, certain technology vendors, billing services, researchers, and others may be TMRPA covered entities even when they are not HIPAA covered entities.
Defensible Patient Access Compliance
Patient complaints to the Texas Attorney General about delayed or denied electronic medical record access are a steady source of TMRPA enforcement. A 15-business-day electronic record fulfillment process with documented procedures is the operational answer.
A Foundation for Adjacent Frameworks
TMRPA + HIPAA compliance work overlaps substantially with other healthcare frameworks (HITECH, 42 CFR Part 2 for substance use disorder, FDA cybersecurity guidance for medical devices) and with the broader cybersecurity baseline (PAM, MFA, encryption, monitoring). A well-built program serves as a foundation for adjacent compliance work.
Frequently Asked Questions
What is Texas HB 300 / TMRPA?
My business is not a HIPAA covered entity. Am I still covered by TMRPA?
How does TMRPA training differ from HIPAA training?
How does Privileged Access Management (PAM) help with TMRPA and HIPAA?
What are the Texas AG penalties for TMRPA violations?
Can a single information security program satisfy both HIPAA and TMRPA?
Ready to Get Started?
Contact LayerLogix today for a free consultation. We serve businesses throughout Houston, The Woodlands, Sugar Land, and the surrounding Greater Houston area.